PingCentral is an OpenID relying party for browser-based single sign-on (SSO), as well as an OAuth 2 resource server when directly accessing the admin API.
As long as an OpenID provider can supply the endpoints and claims that PingCentral requires (most notably the user name and role), other OpenID Connect 1.0 providers can also be used.
- Configure the OAuth client for PingCentral.
- Configure the OIDC policy for PingCentral.
- Configure the Access Token Manager for PingCentral.
This section doesn't provide all of the details of setting up access token managers, OIDC policies, or attribute contracts because these topics are complex and often specific to a customer environment.
Configuring the OAuth client for PingCentral
Define a PingCentral-specific OAuth client. These steps explain how to configure PingFederate as the OpenID provider. See Configuring OAuth clients in the PingFederate Server guide for additional information.
- In PingFederate, go to .
- In the Client ID field, enter a unique identifier the client provides to the resource server (RS) to identify itself. This identifier is included with every request the client makes.
- In the Name field, enter a descriptive name for the client instance. This name appears when the user is prompted for authorization.
- In the Client Authentication field, select Client Secret, and manually enter a secret or click Generate Secret to have one created for you.
You will also use this secret when you configure SSO for PingCentral. See Configuring SSO for details.
- In the Redirection URIs field, enter this URI: https://<pc-host>:<pc-port>/login/oauth2/code/pingcentral.
- Locate the Allowed Grant Types field and select Authorization Code.
Optional: If you want API access with bearer tokens, locate the field and select the Resource Owner Password
Note: PingCentral doesn't support ID token encryption.
- In the OpenID Connect field, locate ID Token Signing Algorithm and select RSA using SHA-256 from the list.
- Click Save.
Configuring the OIDC policy for PingCentral
The OAuth client will be associated with an OIDC Policy, which could be the default policy. This policy must map an attribute into the expected claim to signify the user’s PingCentral role, which is defined in the Attribute Contract, Attribute Sources & User Lookup, and Contract Fulfillment in PingFederate.
If the default PingCentral role claim name and values need to be altered to match the OIDC policy, update the <PingCentral_install>/conf/application.properties file.
Configuring the Access Token Manager for PingCentral
- In PingFederate, go to and click Create New Instance.
- On the Instance Configuration tab, add one or more symmetric keys, signing certificates, or both. Click Add a new row to... or click Update to modify an existing entry.
Important: The Key ID field values must be unique across all JSON-token management instances, including child instances.
If you have not yet created or imported your certificate into PingFederate, click Manage Signing Certificates and complete the task.
Note: To use an RSA-based algorithm for JSON web signature (JWS), the key size of the signing certificate must be at least 2,048 bits. For an EC-based JWS algorithm, the key size depends on the chosen algorithm.
- Click Add a new row to... or click Update to modify an existing entry.
- On the Instance Configuration tab, select the Use Centralized Signing Key option.
- Select Show Advanced Fields and specify the path in the JWKS Endpoint Path field. This step is optional when an algorithm is selected in the JWE Algorithm list.
This path must be explicitly configured in PingCentral. See Configuring resource server functionality.
If you define either or both of the issuer or audience claim values within the access token manager, you can configure PingCentral to validate them. These claim values are also defined in the Issuer Claim Value and Audience Claim Value fields.
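To show why the settings above matter on the relying-party side, here is an added example (not Ping Identity's code) of the checks a relying party such as PingCentral applies to a token issued by the access token manager: the signing key is looked up by Key ID in the JWKS, the RS256 signature is verified, and the issuer, audience, expiry and role claim are validated. The issuer URL, audience value, role claim name `pc_role` and Key ID are constructed placeholders; the example requires the `cryptography` package.

```python
import base64, json, time
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwks(private_key, kid):
    # Publish only the public numbers, as a JWKS endpoint does.
    pub = private_key.public_key().public_numbers()
    n = pub.n.to_bytes((pub.n.bit_length() + 7) // 8, "big")
    e = pub.e.to_bytes((pub.e.bit_length() + 7) // 8, "big")
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256",
                      "kid": kid, "n": b64url(n), "e": b64url(e)}]}

def sign_rs256(private_key, kid, claims):
    # Constructed issuer side: RSASSA-PKCS1-v1_5 with SHA-256 over header.payload.
    header = {"alg": "RS256", "kid": kid}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = private_key.sign(signing_input.encode(), padding.PKCS1v15(), hashes.SHA256())
    return signing_input + "." + b64url(sig)

def validate_token(token, jwks, issuer, audience, role_claim, now=None):
    # Relying-party side: alg, kid lookup, signature, then iss / aud / exp / role claim.
    h, p, s = token.split(".")
    header = json.loads(b64url_dec(h))
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    matches = [k for k in jwks["keys"] if k.get("kid") == header.get("kid")]
    if len(matches) != 1:  # unknown kid, or a Key ID reused across instances
        raise ValueError("kid must match exactly one published key")
    pub = rsa.RSAPublicNumbers(int.from_bytes(b64url_dec(matches[0]["e"]), "big"),
                               int.from_bytes(b64url_dec(matches[0]["n"]), "big")).public_key()
    pub.verify(b64url_dec(s), f"{h}.{p}".encode(), padding.PKCS1v15(), hashes.SHA256())
    claims = json.loads(b64url_dec(p))
    aud = claims.get("aud", [])
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    if role_claim not in claims:
        raise ValueError("role claim %r missing" % role_claim)
    return claims

KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)  # constructed demo key, 2048-bit minimum for RSA JWS
JWKS = make_jwks(KEY, "pc-signing-1")  # constructed Key ID
TOKEN = sign_rs256(KEY, "pc-signing-1", {"iss": "https://pf.example.test", "aud": "pingcentral",
                   "sub": "alice", "pc_role": "Administrator", "exp": int(time.time()) + 300})
```

A token whose `kid` matches no key, or more than one key, is rejected before any signature check, which is why the Key ID values must be unique across token management instances.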